On Tuesday 20 June 2017 23:26:10 Andrew Lemin wrote:
> Hi,
>
> Sadly in my testing it seems that CVE-2017-8301 (
> http://seclists.org/oss-sec/2017/q2/145) is still broken with the
> latest LibreSSL (2.5.4) and OpenVPN 2.4.2.
>
> Here is someone else reporting the same issue;
> https://discourse.trueos.org/t/libre-openssl-tls-error-when-using-openvpn/1358/4
>
> Of course I may have gotten this wrong somewhere, but for now it seems not
> possible to use OpenVPN as a client with TLS static certificate based
> server on OpenBSD.
>
> Hope this helps clarify for anyone else finding the same issue until some
> clever person does a fix.
>
>
> Error same with latest;
>
> Tue Jun 20 22:51:15 2017 OpenVPN 2.4.2 x86_64-unknown-openbsd6.1 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Jun 20 2017
> Tue Jun 20 22:51:15 2017 library versions: LibreSSL 2.5.4, LZO 2.10
> Tue Jun 20 22:52:08 2017 VERIFY ERROR: depth=0, error=self signed certificate: < Cert Info >
> Tue Jun 20 22:52:08 2017 OpenSSL: error:14007086:SSL routines:CONNECT_CR_CERT:certificate verify failed
> Tue Jun 20 22:52:08 2017 TLS_ERROR: BIO read tls_read_plaintext error
> Tue Jun 20 22:52:08 2017 TLS Error: TLS object -> incoming plaintext read error
> Tue Jun 20 22:52:08 2017 TLS Error: TLS handshake failed
> Tue Jun 20 22:52:08 2017 SIGUSR1[soft,tls-error] received, process restarting
This should be fixed on -current (via r1.30 of libcrypto/x509v3/v3_purp.c) - you should also be able to work around the issue by using different CNs for the CA and server certificates (they're likely identical in this case).
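The workaround above turns on the CA and server certificates not sharing a subject name. The following script is an added example, not code from the thread or from LibreSSL/OpenVPN: it compares the subject DNs of two PEM certificates with the openssl(1) CLI and flags the identical-subject case, and it can build a throwaway CA/server pair to try the check offline. The function names, file paths and CNs are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): detect the configuration that the
# workaround avoids -- a CA certificate and a server certificate whose
# subject names are identical. Assumes the openssl(1) CLI is installed.

# Print the subject DN of a PEM certificate given by path.
cert_subject() {
    openssl x509 -in "$1" -noout -subject
}

# check_distinct_subjects CA.crt SERVER.crt
# Returns 0 when the subjects differ (the workaround is satisfied),
# 1 when they are identical, 2 if either file cannot be parsed.
check_distinct_subjects() {
    ca_subj=$(cert_subject "$1") || return 2
    srv_subj=$(cert_subject "$2") || return 2
    if [ "$ca_subj" = "$srv_subj" ]; then
        echo "WARNING: CA and server certificate share subject: $ca_subj" >&2
        return 1
    fi
    echo "OK: CA subject '$ca_subj' differs from server subject '$srv_subj'"
    return 0
}

# make_test_pair DIR CA_CN SERVER_CN
# Constructed test data: a self-signed CA and a server certificate signed
# by it, written to DIR as ca.crt and srv.crt (keys alongside them).
make_test_pair() {
    dir=$1; ca_cn=$2; srv_cn=$3
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/ca.key" \
        -out "$dir/ca.crt" -days 1 -subj "/CN=$ca_cn" 2>/dev/null || return 1
    openssl req -newkey rsa:2048 -nodes -keyout "$dir/srv.key" \
        -out "$dir/srv.csr" -subj "/CN=$srv_cn" 2>/dev/null || return 1
    openssl x509 -req -in "$dir/srv.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/srv.crt" \
        -days 1 2>/dev/null || return 1
}
```

Run `check_distinct_subjects /path/to/ca.crt /path/to/server.crt` against the files named in the OpenVPN client config; a non-zero exit with the WARNING line means the certificates would need reissuing with distinct CNs for the workaround to apply.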